Exchange 2010 SP2 and WSP 1.2.1 Beta Comments and Suggestions ABP

  • Monday, February 27, 2012 12:27 AM
     
     

    Hi folks

    First off a big thanks to Omar and Feodor for the latest beta that includes Exchange 2010 SP2 support, good job!!! :)

    We have been testing and everything looks ok but I have some comments in regard to the ABP policy support and I would like to suggest some changes are made.

    1. During some recent discussions with Greg Taylor from MS it would appear we are no longer required to use the company address list with ABPs. We can simply use the Global Address Book in the ABP and that will suffice. At the moment the ABPs use the company address list and also the global address list and that causes duplicate address lists in Outlook as you have two address lists that have the same membership - Company Global Address List and Company Address List. I would think we should change the code for that?
    2. In addition we can also use the Company Global Address List as an input into the OAB, he said this was recommended, although I'm not sure exactly why. You cannot by the way do this using the console, only with the EMS.
    3. I would like to see support for Room Lists for each tenant. I don't think that would be too hard to implement. We have a customer at the moment asking us for this support.

    In summary it was recommended that each tenant had an ABP that used the Company Global Address List as inputs into the GAL and the OAB and the tenants Room List or a blank room list should be used for the Room List input. The Address list input at the bottom of the policy should contain the tenants Room List or any other address list for contacts, distribution groups etc.

    At the moment for our setup the All Rooms address list is added into the Room List section of the policy and that is showing all meeting rooms in the organisation that have been migrated to Exchange 2010 from what I can see. This therefore requires we make a manual change to the ABP before we can keep everything segregated. 

    Any thoughts, comments on this, would we be able to make this happen?

    Again thanks to everyone who was actively involved in the latest beta it is very much appreciated!

    Adam


    • Edited by Adam42 Monday, February 27, 2012 12:27 AM change

All Replies

  • Wednesday, March 07, 2012 7:23 PM
     
     
    Tenant Room lists are supported in the latest source code.
  • Friday, March 09, 2012 12:40 AM
    Moderator
     
     
    rdolezel - the issue is that you are using the version prior to the changes that eliminate the need for the soap router fix. If you download the latest it should run under 3.5 framework.

    Omar Armenteros Virtuworks

  • Saturday, March 10, 2012 12:05 PM
     
     

    Hi Omar

    Any feedback on the suggested changes as per the original thread?

    Also do you know if anyone is developing a lync module. We would gladly pay someone to develop this for us.

    TIA

    Adam

  • Tuesday, March 13, 2012 2:44 PM
     
     

    I've just installed this beta and all looks good except: Not knowing how the code has been written, how do I deal with OABs for tenants?

    The Microsoft SP2 document for hosters has an appendix on removing the OAB extended rights and applying rights per tenant OAB. Does the new beta code do anything like this?

    Or to ask the question in a short way: What do I do to ensure cached mode clients get the correct OAB downloaded? 

  • Tuesday, March 13, 2012 3:25 PM
     
     
    The OAB configured in the ABP determines which OAB the client attempts to download. The steps detailed in the document are there only to prevent a bad person from browsing around all available OAB's and attempting to download one they shouldn't.
  • Tuesday, March 13, 2012 4:43 PM
     
     
    So regardless of the default OAB setting on the mailstore, as long as there is a correctly built Tenant OAB, Outlook in cached mode will download it? Just want to be absolutely clear on this and that I haven't missed anything. Thanks for your help!
  • Tuesday, March 13, 2012 6:45 PM
     
     

    The AutoDiscover logic (which hands out the OAB url for the client) was changed like this;

    • If user has an explicitly assigned OAB, return that
    • If the user has an ABP defined, pick the OAB from that
    • Else if the user’s mdb has an explicitly assigned OAB return that
    • Else return default OAB
    That is taken from the actual spec I wrote for the feature. Highest priority at the top, working our way down.
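
    The selection order listed in the post above, as an added example that is not part of the original thread and is not Exchange or WSP code. The function name, the `SharedFallback` flag and all sample names (tenantA, DB02 and so on) are assumptions made for illustration.

```powershell
# Added example, not Exchange or WSP code. Mailboxes are plain objects carrying
# the property names Get-Mailbox returns; every sample value is constructed.
# New-Object PSObject is used so it also runs on PowerShell 2.0.

function Resolve-EffectiveOab {
    param(
        [Parameter(Mandatory = $true)] $Mailbox,
        [hashtable] $PolicyOab   = @{},   # ABP name      -> OAB set in that policy
        [hashtable] $DatabaseOab = @{},   # database name -> OAB set on that database
        [string]    $DefaultOab  = ''
    )
    $own = "$($Mailbox.OfflineAddressBook)"
    $abp = "$($Mailbox.AddressBookPolicy)"
    $db  = "$($Mailbox.Database)"

    # Same priority as the list above: mailbox, then ABP, then database, then default.
    if     ($own)              { $oab = $own;              $source = 'Mailbox' }
    elseif ($abp)              { $oab = $PolicyOab[$abp];  $source = 'AddressBookPolicy' }
    elseif ($DatabaseOab[$db]) { $oab = $DatabaseOab[$db]; $source = 'MailboxDatabase' }
    else                       { $oab = $DefaultOab;       $source = 'Default' }

    # Assumption: in a hosted setup the database-level and default OABs are not
    # tenant-specific, so a mailbox that reaches steps 3 or 4 deserves a look.
    $fallback = ($source -eq 'MailboxDatabase' -or $source -eq 'Default')

    New-Object PSObject -Property @{
        Mailbox = $Mailbox.Name; EffectiveOab = $oab; Source = $source; SharedFallback = $fallback
    }
}

# Constructed lookup tables. In the Exchange Management Shell they would be built
# from Get-AddressBookPolicy and Get-MailboxDatabase output (assumed usage; check
# how names are rendered in your environment before matching on them).
$policyOab   = @{ 'tenantA ABP' = 'tenantA Offline Address Book' }
$databaseOab = @{ 'DB02' = 'Legacy Offline Address Book' }

# Constructed mailboxes: one with an ABP, one with an explicit OAB, and two that
# fall through to the database and to the default OAB.
$mailboxes = @(
    (New-Object PSObject -Property @{ Name = 'alice'; OfflineAddressBook = $null
        AddressBookPolicy = 'tenantA ABP'; Database = 'DB02' }),
    (New-Object PSObject -Property @{ Name = 'bob'; OfflineAddressBook = 'tenantB Offline Address Book'
        AddressBookPolicy = 'tenantA ABP'; Database = 'DB01' }),
    (New-Object PSObject -Property @{ Name = 'carol'; OfflineAddressBook = $null
        AddressBookPolicy = $null; Database = 'DB02' }),
    (New-Object PSObject -Property @{ Name = 'dave'; OfflineAddressBook = $null
        AddressBookPolicy = $null; Database = 'DB01' })
)

$mailboxes | ForEach-Object {
    Resolve-EffectiveOab -Mailbox $_ -PolicyOab $policyOab -DatabaseOab $databaseOab `
        -DefaultOab 'Default Offline Address Book'
} | Select-Object Mailbox, Source, EffectiveOab, SharedFallback | Format-Table -AutoSize
```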






  • Tuesday, March 13, 2012 10:40 PM
     
     

    John

    When you create a tenant what are you seeing populated in the room list section of the ABP. Currently we are seeing All Rooms which is not workable as we have to manually change this after the fact which kind of negates what a control panel is for.

    TIA

    Adam

  • Tuesday, March 13, 2012 11:16 PM
    Moderator
     
     
    Adam this has been fixed in the latest build. Please download it from the beta and it will create separate rooms for the ADP per tenant.

    Omar Armenteros Virtuworks

  • Wednesday, March 14, 2012 10:48 PM
     
     

    Great thanks a bunch Omar I will test this out. You know you guys should really publish a paypal account so we can donate for your time and effort and show how much we appreciate your hard work. I only wish I had the required knowledge.

    Do you know if anyone is looking into archive mailbox support, could I tempt you with this :)

    Thanks

    Adam 

  • Thursday, March 15, 2012 8:14 PM
     
     

    Hi Omar

    For some reason my Beta installation is not seeing the  new update, should it update automatically or do I need to do something else?

    Thanks

    Adam

  • Friday, March 16, 2012 5:25 PM
     
     

    Adam,

    The Global Address List issue on the OAB is also addressed here:

    http://websitepanel.codeplex.com/workitem/207

    Hopefully this will make release also.

  • Friday, March 16, 2012 5:38 PM
    Moderator
     
     Answered
    This issue is addressed. SP2 changes are complete and are already in the beta. Adam, you need to go to the page where the Beta is and there are some ZIP files that are up to date there. All you need to do is un-zip them in the root of the panel folder and they will update your files accordingly, only change files are included. All these changes are in the latest zip files.

    Omar Armenteros Virtuworks

    • Marked As Answer by Adam42 Friday, March 16, 2012 9:03 PM
  • Friday, March 16, 2012 6:18 PM
     
     

    Omar,

    the GAL into ABP  is not in the beta, it isn't in the branch either. When you use the beta code it will add the 'tenantid Address List' to the ABP, not the 'tenantid Global Address List'.

    According to several Microsoft recommendations this should be the GAL instead of AL.


    Frans

  • Friday, March 16, 2012 7:18 PM
    Moderator
     
     
    What you propose is to replace the address list in the ADP with the GAL of the Tenant? Is this something included in MS hosting guidance? Sorry I haven't checked or really know this was an official recommendation can you provide me with any supporting documentation so that we can apply properly?

    Omar Armenteros Virtuworks

  • Friday, March 16, 2012 8:36 PM
     
     

    Hello, I have just downloaded the latest March 2012 version of "Multi-Tenancy and Hosting Guidance Exchange Server 2010 SP2" and read everything about OAB carefully. I have found one mistake in my WSP lab setup because I did not pay enough attention to temporary Appendix named "Securing OAB Virtual Directories". First of all I would like to recommend other testers to check this (do not forget to change your real Exchange org name in the following variable):

    $BaseOABContainer='CN=Offline Address Lists,CN=Address Lists Container,CN=[Your Exchange Org Name],CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=hosting,DC=local'

    Get-ADPermission $BaseOABContainer -User "NT Authority\Authenticated Users" | where {$_.extendedrights -match 'MS-EXCH-DOWNLOAD-OAB'} | fl

    If it finds one result, run the following command (this will secure all offline address lists including Default Global Address List against accidental viewing by unauthorized user):

    Get-ADPermission $BaseOABContainer -User "NT Authority\Authenticated Users" | where {$_.extendedrights -match 'MS-EXCH-DOWNLOAD-OAB'} | Remove-ADPermission

    This is necessary to check it and modify only once. This should be added to the future WSP config guide for hosted Exchange 2010 SP2 with ABP (without /hosting switch).

    And now back to the discussion about OAB, Default GAL. As I have already written I was not able to find any specific instruction given by Microsoft. But if I look on standard on-premise non-hosting Exchange installation (ie. without ABP support) I can see only one Default Global Address List (which is expected). When I look at the Offline Address Book tab it is expected that I will see Default Offline Address Book. When I click on its properties and select Address Lists tab I can see one checkbox checked by default - the description is "Include the default Global Address List".

    We, hosters, have to support multiple Global Address Lists, one for each company. I suggest as a best practise and as a standard behaviour to create customer OABs based on customer Global Address Lists. And it does not matter that customer GAL is the same as customer Address List.

    Now, when I run Outlook configured for my lab Exchange and choose Send / Receive menu, Send/Receive Groups, Download Address Book... I can choose address book named "\myorg Address List". And this is really customer's address list, not customer's Global Address List named "myorg Global Address List".

    Radek

  • Friday, March 16, 2012 8:53 PM
     
     

    The recommendation that you use the GAL as the source for the OAB is a recommendation, not a support constraint.

    The reason for this is that if you have a GAL containing all the objects, why then create an AL with all the same objects in it, just for the OAB. It used to be that you HAD to do this, as OABgen wouldn't respect custom GAL's properly, but we fixed that in SP2 as well, so now it works perfectly with specified GAL's.

    So bottom line is, using the tenant GAL as the source for the OAB is simpler. That's all.

  • Friday, March 16, 2012 8:57 PM
     
     
    Thanks for quick confirmation.
  • Friday, March 16, 2012 9:07 PM
     
     

    Just to add to this thread, Omar addressed one of the issues I raised on my original post which was with the tenant Rooms address list which is now supported. I haven't tested this yet but now I know how to apply the updates I will.

    Thanks!

    Adam

  • Friday, March 16, 2012 9:35 PM
     
     

    Omar,

    Sorry i did mix up some things here. The creation of the Address Book Policy is OK. 

    When creating the Offline Address Book for a tenant, the new beta code uses the tenant's Address List as input parameter. This should be the tenant's Global Address List. Looking at the HMC4.5 to ex2010 SP2 migration scripts you can see they modify the OAB to be based off GAL and not AL.

    Inside the Multi-Tenancy Hosting Guidance for Exchange Server 2010 SP2 document it says:

    Address book policy objects are the only supported solution to ensure an authenticated user can access only their own tenant’s GAL, OAB and address list objects. It is important to understand that the GAL specified in the ABP is the effective scope of the user’s directory access. If you choose to create an ABP with multiple address lists, you should ensure the GAL is a superset of those address lists for predictable results.

    So Microsoft recommends to have the OAB based on the tenant's GAL. I think this should be followed by WSP.

    Frans

  • Monday, March 19, 2012 1:04 PM
     
     

    Hello everybody,

    I have a simple question, hope someone will answer me.

    I really can't figure it out - where I can download the source code for WSP that works with Exchange 2010 SP2? Link please..

    My steps till now were - I went to  the Codeplex - Forks- select Fork named Exchange2010SP2Support, and click button Download.

    We installed WSP Server application to our Exchange 2010 SP2, it doesn't work at all (Cannot add service after adding new Server from Portal)

    Some people told me that I must create new fork? Why? Do I have to select the specific change set to download complete source code for WSP (that supports Exch2010SP2)?

    Please, just first 2-3 steps how to download the right source code .. (this one now is obviously the wrong one).

    Thnx very much!

  • Monday, March 19, 2012 2:38 PM
     
     
  • Monday, March 19, 2012 3:19 PM
     
     

    I already used this link (Download on the right side) - It didn't work with Exch2010 Sp2.

    Please, help.


    • Edited by Petra_p Tuesday, March 20, 2012 8:33 AM
  • Wednesday, March 21, 2012 11:16 AM
     
     

    Feodor / Omar,

    Can you update the branch so the OAB is based to the GAL?

    http://websitepanel.codeplex.com/workitem/207 

    Thanks,


    Frans

  • Wednesday, March 21, 2012 11:47 AM
    Moderator
     
     

    Yoda-Ict, Yes I can, but so can others and it can be considered for merge into the project. You can update it right from the branch. We really need other developers contributing to the project as well, the programming time that I have spent on this has been when I can, I might be able to get to it over the weekend. If you know the changes that need to be made, you can download my fork and commit the change and we can review. I also have another change that is almost ready that will allow us to add Owners and Editors to public folder security which I might be able to post over the weekend. My time is limited, I operate a large Managed Services Firm which requires most of my time. Others need to do their part as well if this project is going to survive. For those of you who say you might not understand how to program, I made all the SP2 changes with ZERO C# experience so that's no excuse for me =)


    Omar Armenteros Virtuworks

  • Wednesday, March 21, 2012 2:04 PM
     
     

    Hello Omar,

    I already contributed some changes as database round-robin and web-folder publishing for the OAB. I will contact Feodor for this to get into the branch of 1.2.1.

    Thanks,
    Frans

  • Wednesday, March 21, 2012 2:25 PM
     
     

    If you know the changes that need to be made, you can download my fork and commit the change and we can review.

    Omar Armenteros Virtuworks

    Hello Omar,

    I downloaded your fork but I am afraid I cannot push changes because I am not authorized to publish into your fork. Do I need to create my own fork?

    pushing to https://hg.codeplex.com/forks/virtuworks/exchangesp2research
    searching for changes
    http authorization required
    realm: hg99.codeplex.com
    abort: authorization failed
    [command returned code 255 Wed Mar 21 15:22:48 2012]

    Thanks

    Radek


    -- Radek Dolezel

  • Wednesday, March 21, 2012 2:56 PM
    Moderator
     
     
    Radek, sorry yes probably you will need to open a new fork once you have it done let me know and I will make sure that the changes are committed to the main branch.

    Omar Armenteros Virtuworks

  • Wednesday, March 21, 2012 3:12 PM
    Moderator
     
     
    Yoda-Ict - best way to get the contribution in is to create a fork and publish. Also create issue tracker for items that are fixed. Once the fork is completed submit an email to info@websitepanel.net with the fork name and issue item numbers so that we can publish them out to the main fork.

    Omar Armenteros Virtuworks


  • Wednesday, March 21, 2012 3:56 PM
     
     

    Omar - I have just pushed small changes to fork ex2010sp2smallfixes.

    Yoda-Ict - I have included your solution for issue Id#207 too.


    -- Radek Dolezel

  • Wednesday, March 21, 2012 4:04 PM
    Moderator
     
     

    Radek, much appreciated I will review the changes and push them through. If we all use this approach in issuing fixes I think we will get a lot further, I can commit that I will do what I need to do to get forks that make sense into the main branch, we all need to work together =)

    Yoda-Ict - for existing ADP's that were created based on my original code what is required to change to be inline with the new code? I would like to manually update my code and I want to understand what setting should be changed in exchange so that all my organizations match. If you can share this with me it would be great, just so that everyone that has downloaded the current code knows what to do to move to this new code.


    Omar Armenteros Virtuworks

  • Wednesday, March 21, 2012 4:25 PM
     
     
    I guess the changes initiated by Yoda-Ict were committed by Feodor two weeks ago - "Added: Auto Distribution of New Mailboxes in Exchange (item #168)".

    -- Radek Dolezel

  • Wednesday, March 21, 2012 4:31 PM
    Moderator
     
     

    Yes, those were he committed them. Yoda-Ict - It would be easier for you to send in these fixes through forks rather than apply the fixes needed in a note on the issue item that would ensure the inclusion, send info@websitepanel.net any forks you feel need to be included and they will.

    This project will only grow with all of our support, my only intention so far has been to drum up the community, before I went ahead and even attempted to figure out the SP2 changes there were numerous discussions pointing at a mystery person to build the project for us, asking why Microsoft wasn't doing our work. We all rely on this project to serve business purposes, I believe in contributions via code contributions because it keeps new users engaged, and will bring more developers and speed the development of the project. Small time donations can go a long way if we all do our part.


    Omar Armenteros Virtuworks

  • Wednesday, March 21, 2012 4:50 PM
     
     

    Well, as a long time Subversion user I had to spend some time by learning Mercurial basics but now I can confirm it is much more comfortable for all involved to use forks and pull requests.

    And the second note - I had time to read full history on http://social.msdn.microsoft.com/Forums/en-US/wspdiscuss/thread/f7290d5b-dc7d-486d-8b43-036be32485d4 yesterday and I understood finally that no one is going to save us.


    -- Radek Dolezel

  • Wednesday, March 21, 2012 4:52 PM
    Moderator
     
     
    Radek, does this change for the OAB only apply to SP2 or will it work with 2007 -->

    Omar Armenteros Virtuworks

  • Wednesday, March 21, 2012 5:02 PM
     

    Hello guys,

    Understood, i will create a fork from this moment on to contribute, no problem.

    As for the OAB changes; all OAB's created with the current/previous releases (1.2.1.5 and older) will contain the tenant's addresslist as base for the OAB.

    This can easily be changed with some powershell code executed from the exchange management shell:

    $TenantID = "some_tenant_name"
    Get-OfflineAddressBook "CN=$TenantID Offline Address Book,CN=Offline Address Lists,CN=Address Lists Container,CN=YOUREXCHANGEORG,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=fabricam,DC=com" | Set-OfflineAddressBook -AddressLists "$TenantID Global Address List"
    Make sure you set the path to the Offline Address Book container on your environment!
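
    A way to find the tenants that still need the change above, and to spot the All Rooms room list raised earlier in the thread, as an added example that is not part of the original post and is not WSP code. The function names and the tenantA/tenantB sample objects are assumptions; the list names follow the "tenantid Global Address List" pattern used in the thread.

```powershell
# Added example, not WSP code. Plain objects stand in for Get-AddressBookPolicy
# output and a hashtable for the address lists each OAB is built from; all sample
# data is constructed. New-Object PSObject keeps it PowerShell 2.0 compatible.

# Assumption: list references may be rendered as "\Name", so strip the backslash.
function Get-ListName($Value) { "$Value".TrimStart('\') }

function Test-TenantAbp {
    param(
        [Parameter(Mandatory = $true)] [object[]]  $Policies,
        [Parameter(Mandatory = $true)] [hashtable] $OabSources   # OAB name -> source lists
    )
    # Count how many policies point at each OAB; more than one means a shared OAB.
    $oabUse = @{}
    foreach ($p in $Policies) {
        $oab = Get-ListName $p.OfflineAddressBook
        $oabUse[$oab] = 1 + [int]$oabUse[$oab]
    }
    foreach ($p in $Policies) {
        $gal  = Get-ListName $p.GlobalAddressList
        $oab  = Get-ListName $p.OfflineAddressBook
        $room = Get-ListName $p.RoomList
        $findings = @()
        if ($room -eq 'All Rooms') {
            $findings += 'RoomList is the organisation-wide All Rooms list'
        }
        if (-not $OabSources.ContainsKey($oab)) {
            $findings += "OAB '$oab' not found"
        } else {
            $sources = @($OabSources[$oab] | ForEach-Object { Get-ListName $_ })
            if ($sources -notcontains $gal) {
                $findings += "OAB is built from '$($sources -join ', ')', not the policy GAL '$gal'"
            }
        }
        if ($oabUse[$oab] -gt 1) {
            $findings += "OAB '$oab' is referenced by $($oabUse[$oab]) policies"
        }
        New-Object PSObject -Property @{
            Policy = $p.Name; Compliant = ($findings.Count -eq 0); Findings = ($findings -join '; ')
        }
    }
}

# Constructed sample: tenantA still has the old layout, tenantB the recommended one.
$policies = @(
    (New-Object PSObject -Property @{ Name = 'tenantA ABP'; RoomList = '\All Rooms'
        GlobalAddressList = '\tenantA Global Address List'
        OfflineAddressBook = '\tenantA Offline Address Book' }),
    (New-Object PSObject -Property @{ Name = 'tenantB ABP'; RoomList = '\tenantB Rooms'
        GlobalAddressList = '\tenantB Global Address List'
        OfflineAddressBook = '\tenantB Offline Address Book' })
)
$oabSources = @{
    'tenantA Offline Address Book' = @('\tenantA Address List')
    'tenantB Offline Address Book' = @('\tenantB Global Address List')
}
# In the Exchange Management Shell the inputs would come from (assumed usage):
#   $policies = Get-AddressBookPolicy
#   Get-OfflineAddressBook | ForEach-Object { $oabSources[$_.Name] = $_.AddressLists }

Test-TenantAbp -Policies $policies -OabSources $oabSources |
    Select-Object Policy, Compliant, Findings | Format-List
```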

  • Wednesday, March 21, 2012 5:05 PM
     
     

    Omar

    I'm more than willing to try and contribute. You state you need no C experience, I am surprised at this. How are you coding if you have no experience?

    I guess changes might be easy to fathom out but new feature requests I guess would be a tall order. 

    If you could provide some further information on how someone who has no programming experience (apart from Cobol in my college days!)

    can help out I am more than willing to attempt to help. Where do I start?

    I agree whole heartedly with your previous comments as well.

    Thanks

    Adam

  • Wednesday, March 21, 2012 6:15 PM
     
     
    Radek, does this change for the OAB only apply to SP2 or will it work with 2007 -->

    Omar Armenteros Virtuworks


    My fault, I have just pushed updated version. It was exactly the situation in which an advice from more experienced programmer would help. Is it better to hotfix selection with one or two if conditions directly in Exchange2007.cs or is it better to override the whole method in Exchange2010.cs and maintain source code clearer?

    -- Radek Dolezel

  • Wednesday, March 21, 2012 6:15 PM
    Moderator
     
     
    I have no programming experience in C#, whatever I know of programming in C# has been from poking around this source code, it is well organized and once you understand the basics you will see that even new features are really not that hard to produce. I am trying to get a Document together to document all the things I found confusing, if you are interested in an email I have between me and Feodor explaining the projects basics submit a form at http://www.virtuworks.com/contact I will send you what I have, it helped me understand the project enough to get things done.

    Omar Armenteros Virtuworks

  • Wednesday, March 21, 2012 6:19 PM
    Moderator
     
     
    Radek - in the ADP support I did a conditional statement that checked the version of exchange to check if it was SP2 before allowing ADP support to go through. If you look through my code you will see this, I would suggest doing the same to keep it consistent at this point, putting it in the Exchange2010.cs would allow it on a non SP2 installation, and here we want it to only support SP2 or greater.

    Omar Armenteros Virtuworks

  • Wednesday, March 21, 2012 6:21 PM
     
     
    Great, that's exactly what I did. Please review it, of course.

    -- Radek Dolezel

  • Wednesday, March 21, 2012 7:18 PM
     
     

    OK great, I am definitely up for the challenge. I will submit a form as you suggest.

    Thanks

    Adam

  • Friday, March 23, 2012 4:20 PM
     
     

    Guys,

    A new problem seems to happen; when i try to update a distribution list i get the following error:

    'UPDATE_DISTR_LIST_GENERAL' task on '' EXCHANGE ---> Server was unable to
    process request. ---> Cannot invoke this function because the current host
    does not implement it.

    This is a Mail Universal Distribution Group which was created on exchange 2007 and migrated to 2010 SP2.

    Any ideas??

  • Friday, March 23, 2012 4:49 PM
     
     

    Just to be sure, have you updated dist. groups once moved to Ex2010?

    "For upgrading the Distribution groups to the new version run the below command in Exchange 2010 EMS.

    Get-DistributionGroup -ResultSize Unlimited | Set-DistributionGroup -ForceUpgrade

    This will upgrade all the distribution Groups within an Organization to the Exchange 2010 version."


    -- Radek Dolezel

  • Monday, March 26, 2012 8:27 AM
     
     

    Radek,

    Superb, that solved it! Where did you read about this? I will take a look at it to make sure i didn't forget some other tasks.

    Frans

  • Monday, March 26, 2012 8:36 AM
     
     

    I remembered some issues during stand-alone (non-hosted) Exchange Server upgrade a year ago. Found for example here - http://social.technet.microsoft.com/Forums/ar/exchangesvrgeneral/thread/e60e31b0-28c0-4297-a268-0a115e0e1af6. It was similar problem which I met during Exchange 2003 upgrade to Ex. 2007.


    -- Radek Dolezel